National position of Germany (2021)

Introduction[edit | edit source]

This is the position of Germany on international law applicable to cyber operations. The position ^[1] has been prepared by the German Federal Foreign Office and the German Federal Ministry of Defence in cooperation with the German Federal Ministry of the Interior, Building and Community and published in March 2021.

Applicability of international law[edit | edit source]

"Germany is firmly convinced that international law is of critical importance when dealing with opportunities and risks related to the use of information and communication technologies in the international context. As a main pillar of a rules-based international order, international law as it stands provides binding guidance on States’ use and regulation of information and communication technologies and their defence against malicious cyber operations. In particular, the UN Charter fulfils a core function with regard to the maintenance of international peace and security – also in relation to cyber activities. In this regard, Germany reemphasizes its conviction that international law, including the UN Charter and international humanitarian law (IHL), applies without reservation in the context of cyberspace."^[2]

Sovereignty[edit | edit source]

"The legal principle of State sovereignty applies to States’ activities with regard to cyberspace. State sovereignty implies, inter alia, that a State retains a right of regulation, enforcement and adjudication (jurisdiction) with regard to both persons engaging in cyber activities and cyber infrastructure on its territory. It is limited only by relevant rules of international law, including international humanitarian law and international human rights law. Germany recognizes that due to the high degree of cross-border interconnectedness of cyber infrastructures, a State’s exercise of its jurisdiction may have unavoidable and immediate repercussions for the cyber infrastructure of other States. While this does not limit a State’s right to exercise its jurisdiction, due regard has to be given to potential adverse effects on third States.

By virtue of sovereignty, a State’s political independence is protected and it retains the right to freely choose its political, social, economic and cultural system. Inter alia, a State may generally decide freely which role information and communication technologies should play in its governmental, administrative and adjudicative proceedings. Foreign interference in the conduct of elections of a State may under certain circumstances constitute a breach of sovereignty or, if pursued by means of coercion, of the prohibition of wrongful intervention. Moreover, by virtue of its sovereignty, a State may decide freely over its foreign policy also in the field of information and communication technologies.

Furthermore, a State’s territorial sovereignty is protected. Due to the rootedness of all cyber activities in the actions of human beings using physical infrastructure, cyberspace is not a deterritorialized forum. In this regard, Germany underlines that there are no independent ‘cyber borders’ incongruent with a State’s physical borders which would limit or disregard the territorial scope of its sovereignty. Within its borders, a State has the exclusive right – within the framework of international law – to fully exercise its authority, which includes the protection of cyber activities, persons engaging therein as well as cyber infrastructures in the territory of a State against cyber and non-cyber-related interferences attributable to foreign States."^[3]

"Germany agrees with the view that cyber operations attributable to States which violate the sovereignty of another State are contrary to international law. In this regard, State sovereignty constitutes a legal norm in its own right and may apply directly as a general norm also in cases in which more specific rules applicable to State behaviour, such as the prohibition of intervention or the use of force, are not applicable. Violations of State sovereignty may inter alia involve its territorial dimension; in this regard, the following categories of cases may be relevant (without excluding the possibility of other cases):

Germany essentially concurs with the view proffered, inter alia, in the Tallinn Manual 2.0 that cyber operations attributable to a State which lead to physical effects and harm in the territory of another State constitute a violation of that State’s territorial sovereignty. This encompasses physical damage to cyber infrastructure components per se and physical effects of such damage on persons or on other infrastructure, i.e. cyber or analogue infrastructure components connected to the damaged cyber component or infrastructure located in the vicinity of the damaged cyber infrastructure (provided a sufficient causal link can be established).

Germany generally also concurs with the view expressed and discussed in the Tallinn Manual 2.0 that certain effects in form of functional impairments with regard to cyber infrastructures located in a State’s territory may constitute a violation of a State’s territorial sovereignty. In Germany’s view, this may also apply to certain substantial non-physical (i.e. software-related) functional impairments. In such situations, an evaluation of all relevant circumstances of the individual case will be necessary. If functional impairments result in substantive secondary or indirect physical effects in the territory of the target State (and a sufficient causal link to the cyber operation can be established), a violation of territorial sovereignty will appear highly probable.

In any case, negligible physical effects and functional impairments below a certain impact threshold cannot – taken by themselves – be deemed to constitute a violation of territorial sovereignty.

Generally, the fact that a piece of critical infrastructure (i.e. infrastructure which plays an indispensable role in ensuring the functioning of the State and its society) or a company of special public interest in the territory of a State has been affected may indicate that a State’s territorial sovereignty has been violated. However, this cannot in and of itself constitute a violation, inter alia because uniform international definitions of the terms do not yet exist. Also, cyber operations in which infrastructures and/or companies which do not qualify as ‘critical’ or ‘of particular public interest’ are affected may likewise violate the territorial sovereignty of a State."^[4]

Due diligence[edit | edit source]

"As a corollary to the rights conferred on States by the rule of territorial sovereignty, States are under an ‘obligation not to allow knowingly their territory to be used for acts contrary to the rights of other States’ – this generally applies to such use by State and non-State actors. The ‘due diligence principle’, which is widely recognized in international law, is applicable to the cyber context as well and gains particular relevance here because of the vast interconnectedness of cyber systems and infrastructures."^[5]

"[..] a State may also become liable under international law in connection with another State’s or a non-State actor’s actions if the first State fails to abide by its obligations stemming from the ‘due diligence’ principle."^[6]

Prohibition of intervention[edit | edit source]

"The prohibition of a wrongful intervention between States is not explicitly mentioned in the UN Charter. However, it is a corollary of the sovereignty principle, can be derived from art. 2 para. 1 UN Charter and is grounded in customary international law. Generally, for State-attributable conduct to qualify as a wrongful intervention, the conduct must (1) interfere with the domaine réservé of a foreign State and (2) involve coercion. Especially the definition of the latter element requires further clarification in the cyber context.

In its Nicaragua judgement, the International Court of Justice (ICJ) held that ‘[t]he element of coercion, which defines, and indeed forms the very essence of, prohibited intervention, is particularly obvious in the case of an intervention which uses force, either in the direct form of military action, or in the indirect form of support for subversive or terrorist armed activities within another State.’ Malicious cyber activities will only in some cases amount to direct or indirect use of force. However, measures below this threshold may also qualify as coercive. Generally, Germany is of the opinion that cyber measures may constitute a prohibited intervention under international law if they are comparable in scale and effect to coercion in non-cyber contexts.

Coercion implies that a State’s internal processes regarding aspects pertaining to its domaine réservé are significantly influenced or thwarted and that its will is manifestly bent by the foreign State’s conduct. However, as is widely accepted, the element of coercion must not be assumed prematurely. Even harsher forms of communication such as pointed commentary and sharp criticism as well as (persistent) attempts to obtain, through discussion, a certain reaction or the performance of a certain measure from another State do not as such qualify as coercion. Moreover, the acting State must intend to intervene in the internal affairs of the target State – otherwise the scope of the non-intervention principle would be unduly broad.

In the context of wrongful intervention, the problem of foreign electoral interference by means of malicious cyber activities has become particularly virulent. Germany generally agrees with the opinion that malicious cyber activities targeting foreign elections may – either individually or as part of a wider campaign involving cyber and non-cyber-related tactics – constitute a wrongful intervention. For example, it is conceivable that a State, by spreading disinformation via the internet, may deliberately incite violent political upheaval, riots and/or civil strife in a foreign country, thereby significantly impeding the orderly conduct of an election and the casting of ballots. Such activities may be comparable in scale and effect to the support of insurgents and may hence be akin to coercion in the above-mentioned sense. A detailed assessment of the individual case would be necessary.

Also, the disabling of election infrastructure and technology such as electronic ballots, etc. by malicious cyber activities may constitute a prohibited intervention, in particular if this compromises or even prevents the holding of an election, or if the results of an election are thereby substantially modified.

Furthermore, beyond the mentioned examples, cyber activities targeting elections may be comparable in scale and effect to coercion if they aim at and result in a substantive disturbance or even permanent change of the political system of the targeted State, i.e. by significantly eroding public trust in a State’s political organs and processes, by seriously impeding important State organs in the fulfilment of their functions or by dissuading significant groups of citizens from voting, thereby undermining the meaningfulness of an election. Due to the complexity and singularity of such scenarios, it is difficult to formulate abstract criteria. Discussions in this context are still ongoing."^[7]

Use of force[edit | edit source]

"So far, the vast majority of malicious cyber operations fall outside the scope of ‘force’. However, cyber operations might in extremis fall within the scope of the prohibition of the use of force and thus constitute a breach of art. 2 para. 4 UN Charter.

The ICJ has stated in its Nuclear Weapons opinion that Charter provisions ‘apply to any use of force, regardless of the weapons employed.’ Germany shares the view that with regard to the definition of ‘use of force’, emphasis needs to be put on the effects rather than on the means used.

Cyber operations can cross the threshold into use of force and cause significant damage in two ways. Firstly, they can be part of a wider kinetic attack. In such cases they are one component of a wider operation clearly involving the use of physical force, and can be assessed within the examination of the wider incident. Secondly, outside the wider context of a kinetic military operation, cyber operations can by themselves cause serious harm and may result in massive casualties.

With regard to the latter case, Germany shares the view expressed in the Tallinn Manual 2.0: the threshold of use of force in cyber operations is defined, in analogy to the ICJ’s Nicaragua judgement, by the scale and effects of such a cyber operation. Whenever scale and effects of a cyber operation are comparable to those of a traditional kinetic use of force, it would constitute a breach of art. 2 para. 4 UN Charter.

The determination of a cyber operation as having crossed the threshold of a prohibited use of force is a decision to be taken on a case-by-case basis. Based on the assessment of the scale and effects of the operation, the broader context of the situation and the significance of the malicious cyber operation will have to be taken into account. Qualitative criteria which may play a role in the assessment are, inter alia, the severity of the interference, the immediacy of its effects, the degree of intrusion into a foreign cyber infrastructure and the degree of organization and coordination of the malicious cyber operation."^[8]

International humanitarian law (jus in bello)[edit | edit source]

"Germany reiterates its view that IHL applies to cyber activities in the context of armed conflict. The fact that cyberspace as a domain of warfare was unknown at the time when the core treaties of IHL were drafted does not exempt the conduct of hostilities in cyberspace from the application of IHL. As for any other military operation, IHL applies to cyber operations conducted in the context of an armed conflict independently of its qualification as lawful or unlawful from the perspective of the ius ad bellum.

An international armed conflict – a main prerequisite for the applicability of IHL in a concrete case – is characterized by armed hostilities between States. This may also encompass hostilities that are partially or totally conducted by using cyber means. Germany holds the view that cyber operations of a non-international character, e.g. of armed groups against a State, which reach a sufficient extent, duration, or intensity (as opposed to acts of limited impact) may be considered a non-international armed conflict and thereby also trigger the application of IHL.

At the same time, cyber actions can become part of an ongoing armed conflict. In order to fall within the ambit of IHL, the cyber operation must show a sufficient nexus with the armed conflict, i.e. the cyber operation must be conducted by a party to the conflict against its opponent and must contribute to its military effort.

Cyber operations between a non-State actor and a State alone may provoke a non-international armed conflict. However, this will only seldom be the case due to the level of intensity, impact and extent of hostilities required. Thus, activities such as a large-scale intrusion into foreign cyber systems, significant data theft, the blocking of internet services and the defacing of governmental channels or websites will usually not singularly and in themselves bring about a non-international armed conflict."^[9]

"The basic principles governing the conduct of hostilities, including by cyber means, such as the principles of distinction, proportionality, precautions in attack and the prohibition of unnecessary suffering and superfluous injury, apply to cyber attacks in international as well as in non-international armed conflicts."^[10]

Attack (international humanitarian law)[edit | edit source]

"Germany defines a cyber attack in the context of IHL as an act or action initiated in or through cyberspace to cause harmful effects on communication, information or other electronic systems, on the information that is stored, processed or transmitted on these systems or on physical objects or persons. The occurrence of physical damage, injury or death to persons or damage or destruction to objects comparable to effects of conventional weapons is not required for an attack in the sense of art. 49 para. 1 Additional Protocol I to the Geneva Conventions. However, the mere intrusion into foreign networks and the copying of data does not constitute an attack under IHL."^[11]

Direct participation in hostilities[edit | edit source]

"The principle of distinction obliges States to differentiate between military and civilian objects, as well as between civilians, on the one hand, and combatants, members of organized armed groups and civilians taking direct part in hostilities, on the other hand. While IHL does not prohibit an attack on the latter, civilians (not taking direct part in hostilities) and civilian objects must be spared.

Civilians operating in cyberspace can be considered as taking direct part in hostilities with the result of losing their protection from attack and the effects of the hostilities, provided the following conditions are met: Their acts are likely to adversely affect the military operations or military capacity of a party, there is a direct causal link between their acts and the adverse effects and the acts are specifically designed to inflict harm in support of a party to an armed conflict and to the detriment of another (belligerent nexus). Thus, Germany agrees with the view that, for example, ‘electronic interference with military computer networks […], whether through computer network attacks or computer network exploitation, as well as wiretapping […] [of an] adversary’s high command or transmitting tactical targeting information for an attack’, could suffice in order to consider a civilian person as directly participating in hostilities."^[12]

Military objectives[edit | edit source]

"[...] a civilian object like a computer, computer networks, and cyber infrastructure, or even data stocks, can become a military target, if used either for both civilian and military purposes or exclusively for the latter. However, in cases of doubt, the determination that a civilian computer is in fact used to make an effective contribution to military action may only be made after a careful assessment. Should substantive doubts remain as to the military use of the object under consideration, it shall be presumed not to be so used.

The benchmark for the application of the principle of distinction is the effect caused by a cyber attack, irrespective of whether it is exercised in an offensive or a defensive context. Thus, computer viruses designed to spread their harmful effects uncontrollably cannot distinguish properly between military and civilian computer systems as is required under IHL and their use is therefore prohibited as an indiscriminate attack. In contrast, malware that spreads widely into civilian systems but damages only a specific military target does not violate the principle of distinction. Given the complexity of cyber attacks, the limited options to comprehensively appraise their nature and effects and the high probability of an impact on civilian systems, having recourse to the appropriate expertise to assess potential indiscriminate effects throughout the mission planning process is of key importance to Germany.

A cyber attack directed against a military target which is nevertheless expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, is also prohibited under IHL if such incidental effects would be excessive in relation to the concrete and direct military advantage anticipated. If a cyber attack is executed in conjunction with other forms of military action, such as attacks with conventional weapons directed against the same installation, the military advantage and the collateral damage must be considered with regard to the ‘attack […] as a whole and not only […] [with regard to] isolated or particular parts of the attack.’

Assessing collateral damage and incidental injury or loss of life when conducting a proportionality analysis can be even more difficult in the context of cyber operations as compared to more traditional, i.e. physical, means or methods of warfare. This however does not discharge those planning and coordinating attacks from taking into account their foreseeable direct and indirect effects."^[13]

Principle of precautions[edit | edit source]

"The basic principles governing the conduct of hostilities, including by cyber means, such as the principles of distinction, proportionality, precautions in attack and the prohibition of unnecessary suffering and superfluous injury, apply to cyber attacks in international as well as in non-international armed conflicts."^[14]

"A corollary to the prohibition of indiscriminate cyber attacks is the duty to take constant care to spare the civilian population, civilians and civilian objects during hostilities involving cyber operations.

Those who plan, approve or execute attacks must take all feasible precautions in the choice of means and methods with a view to avoiding, and in any event minimizing, incidental loss of civilian life, injury to civilians and damage to civilian objects. This might encompass gathering intelligence on the network in question through mapping or other processes in order to assess the attack’s likely effects. Also, the inclusion of a deactivation mechanism or a specific configuration of the cyber tool which limits the effects on the intended target might be considered. Moreover, if it becomes apparent that the target is not a military one or is subject to special protection, those who plan, approve or execute the cyber attack must refrain from executing or suspend the attack. The same applies when the attack may be expected to cause excessive collateral damage to civilians and civilian objects.

The obligation to take precautions in attack is complemented by the obligation to conduct weapon reviews of any new means or method of cyber warfare to determine whether its employment would, in some or in all circumstances, be prohibited by international law. The findings of such reviews, to the extent that they identify legal constraints for the employment of means and methods in particular operational settings, should serve as a basis for operational planning. However, the means and methods used in cyber warfare are typically tailored to their targets, as they generally involve exploiting vulnerabilities that are specific to the target and the operational context. This entails that the development of means or the adoption of the method will often coincide with the planning of a concrete operation. Thus, the obligation to take precautions in attack and the requirement of a legal review remain separate requirements, but may overlap in substance.^[15]

Means and methods of warfare[edit | edit source]

"A corollary to the prohibition of indiscriminate cyber attacks is the duty to take constant care to spare the civilian population, civilians and civilian objects during hostilities involving cyber operations.

Those who plan, approve or execute attacks must take all feasible precautions in the choice of means and methods with a view to avoiding, and in any event minimizing, incidental loss of civilian life, injury to civilians and damage to civilian objects. This might encompass gathering intelligence on the network in question through mapping or other processes in order to assess the attack’s likely effects. Also, the inclusion of a deactivation mechanism or a specific configuration of the cyber tool which limits the effects on the intended target might be considered. Moreover, if it becomes apparent that the target is not a military one or is subject to special protection, those who plan, approve or execute the cyber attack must refrain from executing or suspend the attack. The same applies when the attack may be expected to cause excessive collateral damage to civilians and civilian objects."^[16]

Legal review of cyber weapons[edit | edit source]

"The obligation to take precautions in attack is complemented by the obligation to conduct weapon reviews of any new means or method of cyber warfare to determine whether its employment would, in some or in all circumstances, be prohibited by international law. The findings of such reviews, to the extent that they identify legal constraints for the employment of means and methods in particular operational settings, should serve as a basis for operational planning. However, the means and methods used in cyber warfare are typically tailored to their targets, as they generally involve exploiting vulnerabilities that are specific to the target and the operational context. This entails that the development of means or the adoption of the method will often coincide with the planning of a concrete operation. Thus, the obligation to take precautions in attack and the requirement of a legal review remain separate requirements, but may overlap in substance."^[17]

Attribution[edit | edit source]

"Attributing a cyber incident is of critical importance as a part of holding States responsible for wrongful behaviour and for documenting norm violations in cyberspace. It is also a prerequisite for certain types of responsive action. As regards the attribution of certain acts to States under international law, Germany applies the relevant customary law rules on State responsibility also to acts in cyberspace, subject to any lex specialis provisions. Inter alia, cyber operations conducted by State organs are attributable to the State in question. The same applies with regard to persons or entities which are empowered by the law of a State to exercise elements of the governmental authority and act in that capacity in the particular instance. Attribution is not excluded because such organ, person or entity acting in an official capacity exceeds its authority or contravenes instructions – cyber operations conducted ultra vires are likewise attributable to the State in question. This applies a maiore ad minus when only parts of an operation are ultra vires.

[...]

Moreover, cyber operations conducted by non-State actors which act on the instructions of, or under the direction or control of, a State are attributable to that State. The same principles apply as in the physical world: if a State recurs to private actors in order to commit an unlawful deed, the actions by the private actor will regularly be attributable to the State. States should recognize that they are accountable for the actions of proxies acting under their control. The State must have control over a specific cyber operation or set of cyber operations conducted by the non-State actor. While a sufficient degree or intensity of such control is necessary, the State is not required to have detailed insight into or influence over all particulars, especially those of a technical nature, of the cyber operation. A comprehensive assessment of the circumstances of the individual case will be necessary to establish an attributive link.

[...]

The application of the international rules on State responsibility and hence the act of formally attributing a malicious cyber operation to a State under international law is first and foremost a national prerogative; however, international cooperation and exchange of information with partners in this regard can be of vital importance. In practice, establishing the facts upon which a decision on attribution may be based is of specific concern in the context of cyber operations since the author of a malicious cyber operation may be more difficult to trace than that of a kinetic operation. At the same time, a sufficient level of confidence for an attribution of wrongful acts needs to be reached. Gathering relevant information about the incident or campaign in question has a technical dimension and may involve processes of data forensics, open sources research, human intelligence and reliance upon other sources – including, where applicable, information and assessments by independent and credible non-state actors. Generating the necessary contextual knowledge, assessing a suspected actor’s motivation for conducting malicious cyber operations and weighing the plausibility of alternative explanations regarding the authorship of a certain malicious cyber act will likewise be part of the process. All relevant information should be considered.

Germany agrees that there is no general obligation under international law as it currently stands to publicize a decision on attribution and to provide or to submit for public scrutiny detailed evidence on which an attribution is based. This generally applies also if response measures are taken. Any such publication in a particular case is generally based on political considerations and does not create legal obligations for the State under international law. Also, it is within the political discretion of a State to decide on the timing of a public act of attribution. Nevertheless, Germany supports the UN Group of Governmental Experts’ position in its 2015 report that accusations of cyber-related misconduct against a State should be substantiated. States should provide information and reasoning and – if circumstances permit – attempt to communicate and cooperate with the State in question to clarify the allegations raised. This may bolster the transparency, legitimacy and general acceptance of decisions on attribution and any response measures taken.

Attribution in the context of State responsibility must be distinguished from politically assigning responsibility for an incident to States or non-State actors: Generally, such statements are made at the discretion of each State and constitute a manifestation of State sovereignty. Acts of politically assigning responsibility may occur in cooperation with partners. As regards attribution in the legal sense, findings of national law-based (court) proceedings involving acts of attribution, for example in the context of criminal liability of certain office holders or non-State actors, may serve as indicators in the process of establishing State responsibility. However, it should be borne in mind that the criteria of attribution under international law do not necessarily correspond to those under domestic law and that additional or specific criteria are generally relevant when establishing State responsibility for individually attributed conduct. Moreover, the adoption of targeted restrictive measures against natural or legal persons, entities or bodies under the EU Cyber Sanctions Regime does not as such imply the attribution of conduct to a State by Germany in a legal sense."^[18]

Responsibility of a State for the conduct of another State[edit | edit source]

"Generally, the mere (remote) use of cyber infrastructure located in the territory of a State (forum State) by another State (acting State) for the implementation of malicious cyber operations by the latter does not lead to an attribution of the acting State’s conduct to the forum State. However, the forum State may under certain circumstances incur responsibility on separate grounds, for example if its conduct with regard to another State’s use of its cyber infrastructure for malicious purposes qualifies as aid or assistance. This inter alia applies if the forum State actively and knowingly provides the acting State with access to its cyber infrastructure and thereby facilitates malicious cyber operations by the other State."^[19]

Retorsion[edit | edit source]

"A State may engage in measures of retorsion to counter a cyber operation carried out against it. Retorsions are unfriendly acts directed against the interests of another State without amounting to an infraction of obligations owed to that State under international law. Since retorsions are predominantly rooted in the political sphere, they are not subject to such stringent legal limitations as other types of response such as countermeasures.

Measures of retorsion may be adopted to counter (merely) unfriendly cyber operations perpetrated by another State. They may likewise be enacted in reaction to an unlawful cyber operation if more intensive types of response (countermeasures, self-defence) are unavailable for legal reasons (for example, in cases in which counter-measures would be disproportionate) or politically unfeasible. Moreover, they may be adopted as a reaction to an unlawful cyber operation in combination with other types of response, such as countermeasures, as part of a State’s comprehensive, multi-pronged response to malicious cyber activities directed against it."^[20]

Countermeasures[edit | edit source]

"The law of countermeasures allows a State to react, under certain circumstances, to cyber-related breaches of obligations owed to it by another State by taking measures which for their part infringe upon legal obligations it owes to the other State. If certain legal conditions are met, such measures do not constitute wrongful acts under the international law of State responsibility. Germany agrees that cyber-related as well as non-cyber-related breaches of international obligations may be responded to by both cyber and non-cyber countermeasures.

As regards the limitations to countermeasures, Germany is of the opinion that, generally, the same conditions apply as in non cyber-related contexts: In particular, countermeasures may only be adopted against a State which is responsible for an internationally wrongful act in order to induce that State to comply with its obligations arising from its responsibility (in particular cessation of the wrongful act). Also, they must be proportionate and respect fundamental human rights, obligations of a humanitarian character prohibiting reprisals and peremptory norms of international law.

Due to the multifold and close interlinkage of cyber infrastructures not only across different States but also across different institutions and segments of society within States, cyber countermeasures are specifically prone to generating unwanted or even unlawful side effects. Against this background, States must be particularly thorough and prudent in examining whether or not the applicable limitation criteria to cyber countermeasures are met.

A State may – a maiore ad minus – engage in cyber reconnaissance measures in order to explore options for countermeasures and assess the potential risk of side effects if such measures fulfil the requirements for countermeasures." ^[21]

Plea of necessity[edit | edit source]

"The wrongfulness of a State’s cyber operation that contravenes its international obligations may be precluded by exception if that State acted out of necessity. This entails that a State may – under certain narrow circumstances – act against malicious cyber operations by resorting, for its part, to active counter-operations even in certain situations in which the prerequisites for countermeasures or self-defence are not met.

The draft articles on State responsibility, which reflect customary law in this regard, inter alia require that the act must be ‘the only way for the State to safeguard an essential interest against a grave and imminent peril’. Whether an ‘interest’ is ‘essential’ depends on the circumstances. Germany holds the view that, in the cyber context, the affectedness of an ‘essential interest’ may inter alia be explained by reference to the type of infrastructure actually or potentially targeted by a malicious cyber operation and an analysis of that infrastructure’s relevance for the State as a whole. For example, the protection of certain critical infrastructures may constitute an ‘essential interest’. It might likewise be determined by reference to the type of harm actually or potentially caused as a consequence of a foreign State’s cyber operation. For example, the protection of its citizens against serious physical harm will be an ‘essential interest’ of each State – regardless of whether a critical infrastructure is targeted or not. Nevertheless, given the exceptional character of the necessity argument, an ‘essential interest’ must not be assumed prematurely.

A case-by-case assessment is necessary to determine whether a peril is ‘grave’. The more important an ‘essential interest’ is for the basic functioning of a State, the lower the threshold of the ‘gravity’ criterion should be. Germany agrees that a ‘grave peril’ does not presuppose the occurrence of physical injury but may also be caused by large-scale functional impairments.

A State, when confronted with a cyber threat, does not yet need to have assessed the total and final damage potential in order to invoke necessity. Necessity may be invoked when the origin of a cyber measure has not (yet) been clearly established; however, States should always make efforts to clarify attribution and (State) responsibility in order to be able to substantiate their grounds for action."^[22]

Self-defence and armed attack[edit | edit source]

"The right to self-defence according to art. 51 UN Charter is triggered if an armed attack occurs. Malicious cyber operations can constitute an armed attack whenever they are comparable to traditional kinetic armed attack in scale and effect. Germany concurs with the view expressed in rule 71 of the Tallinn Manual 2.0.

Furthermore, Germany acknowledges the view expressed in the ICJ’s Nicaragua judgment, namely that an armed attack constitutes the gravest form of use of force. Assessing whether the scale and effects of the cyber operation are grave enough to consider it an armed attack is a political decision taken in the framework of international law. Physical destruction of property, injury and death (including as an indirect effect) and serious territorial incursions are relevant factors. The decision is not made based only on technical information, but also after assessing the strategic context and the effect of the cyber operation beyond cyberspace. This decision is not left to the discretion of the State victim of such a malicious cyber operation, but needs to be comprehensibly reported to the international community, i.e. the UN Security Council, according to art. 51 UN Charter.

The response to malicious cyber operations constituting an armed attack is not limited to cyber counter-operations. Once the right to self-defence is triggered, the State under attack can resort to all necessary and proportionate means in order to end the attack. Self-defence does not require using the same means as the attack which provided the trigger for its exercise.

Acts of non-State actors can also constitute armed attacks. Germany has expressed this view both with regard to the attacks by Al Qaeda and the attacks of ISIS.

In Germany’s view, art. 51 UN Charter requires the attack against which a State can resort to self-defence to be ‘imminent’. The same applies with regard to self-defence against malicious cyber operations. Strikes against a prospective attacker who has not yet initiated an attack do not qualify as lawful self-defence."

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

Bibliography and further reading[edit | edit source]